Troubleshooting

Usage of EmptyDir volume "log" exceeds the limit

This error occurs because Logback checks only every 60 seconds ("checkIncrement") whether log rotation should be triggered, which allows the log file to grow larger than the log Volume attached to the NiFi Pods. Starting with SDP 24.11, checkIncrement is set to 5 seconds in the Logback config and the size of the log Volume attached to NiFi Pods has been increased from 33 MiB to 500 MiB.

If you still encounter this error in rare cases of very high load on NiFi, you can further increase the log Volume size:

spec:
  nodes:
    podOverrides:
      spec:
        volumes:
        - emptyDir:
            sizeLimit: 1Gi
          name: log

HTTP ERROR 400 Invalid SNI

This error occurs when accessing NiFi 2.0 or later, which enforces SNI (Server Name Indication) validation for HTTPS connections. The hostname in the request must match one of the hostnames in NiFi’s TLS certificate.

For complete technical background, see the upstream issue NIFI-14858.

When using Ingress

If you’re accessing NiFi through a Load Balancer or Reverse Proxy, it must forward requests using the FQDN of the NiFi service, not just the service name.

For nginx ingress, configure the upstream-vhost annotation to use the service FQDN:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # We need to use the FQDN, so that NiFi has a cert for the host and does not throw
    # HTTP ERROR 400 Invalid SNI
    nginx.ingress.kubernetes.io/upstream-vhost: "nifi.default.svc.cluster.local"
  name: nifi-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: nifi.my.corp
      http:
        paths:
        - backend:
            service:
              name: nifi
              port:
                number: 8443
          path: /
          pathType: Prefix
# ...

For additional details, see this article.
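
To see which hostnames a certificate accepts before changing the proxy configuration, you can test candidate names against its SAN entries. This is an added example, not part of the original documentation or the Stackable project's code. It assumes OpenSSL 1.1.1 or later, builds a constructed sample certificate, and uses the hostnames from the Ingress example above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: test hostnames against a certificate's SAN entries.
# Assumes OpenSSL 1.1.1+ (for -addext). The certificate is constructed here;
# the hostnames are the ones used in the Ingress example above.

# Create a throwaway self-signed certificate in directory $1 whose only SAN
# is the service FQDN (constructed sample, not a real NiFi certificate).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-sample" \
    -addext "subjectAltName=DNS:nifi.default.svc.cluster.local" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Save the certificate that server $1:$2 presents for SNI name $3 to file $4.
# Needs network access, so it is not called in the offline demo below.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -out "$4"
}

# Print "match" or "mismatch" for hostname $2 against the PEM certificate $1.
check_host() {
  if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"; then
    echo match
  else
    echo mismatch
  fi
}

# Offline demo: only the FQDN listed in the SAN is accepted; the short
# service name and the external Ingress host are not.
demo() {
  tmp=$(mktemp -d)
  make_sample_cert "$tmp"
  for h in nifi nifi.default.svc.cluster.local nifi.my.corp; do
    printf '%-34s %s\n' "$h" "$(check_host "$tmp/cert.pem" "$h")"
  done
  rm -rf "$tmp"
}
demo
```

To check a running instance, save its certificate with fetch_cert (host, port, SNI name, output file) and pass that file to check_host instead of the constructed one.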

When using Load Balancers or other proxies

When Load Balancers, API Gateways, or other proxy services sit in front of NiFi, they might forward requests with hostnames that don’t match NiFi’s TLS certificates. This commonly occurs because:

  • The proxy uses a different hostname than what’s in NiFi’s certificate

  • NiFi is unaware of the external hostnames used to reach the proxy

  • Certificate management in Kubernetes makes it complex to include all possible hostnames

Workaround: Disable SNI validation

Since this scenario is common and difficult to resolve through certificate management, you can disable SNI validation in NiFi:

nodes:
  configOverrides:
    nifi.properties:
      nifi.web.https.sni.required: "false"
      nifi.web.https.sni.host.check: "false"

These properties control NiFi’s SNI validation behavior:

  • nifi.web.https.sni.required: When true, NiFi requires that HTTPS requests include the SNI extension (containing the server_name). Setting it to false allows connections without SNI. Be aware: SNI is not used for IP-based connections, so if this is set to true, any connections that use only an IP address will not work.

  • nifi.web.https.sni.host.check: When true, NiFi validates that the value of the Host header is a valid Subject in the Certificate. Setting it to false disables this hostname matching check.

Disabling SNI validation reduces security by allowing connections with mismatched hostnames. Only use this workaround when proper certificate configuration is not feasible.

authorization_request_not_found when using multiple NiFi nodes

If you are using multiple NiFi nodes and OpenID Connect as the authentication method, it is important that a client (such as your browser) always accesses the same NiFi instance. Otherwise, the authorization_request_not_found error is returned.

If you are using an nginx ingress, you can achieve this with the following annotations:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"

packaging.version.InvalidVersion: Invalid version: '1.27.0-stackable0.0.0-dev' when connecting to NiFi using nipyapi

With nipyapi versions < 0.20.0, some functions check the version of the NiFi instance. This check fails because the custom version strings introduced in SDP release 25.7 can’t be parsed.

Solution: Upgrade to nipyapi >= 0.20.0 where this is fixed. Our images are already using a version that is recent enough.